Univention Bugzilla – Bug 52415
python3.5: Multiple issues (4.4)
Last modified: 2020-11-25 12:08:13 CET
New Debian python3.5 3.5.3-1+deb9u3 fixes:

This update addresses the following issues:

* infinite loop in the tarfile module via crafted TAR archive (CVE-2019-20907)
* CRLF injection via HTTP request method in httplib/http.client (CVE-2020-26116)
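Added example (not part of this bug report, the Debian package, or the UCS errata): a small stand-alone Python probe and guard for the CRLF-injection issue in http.client listed above. It uses only the standard library; all function names are my own. The probe calls http.client's putrequest() on a connection that is never opened (putrequest only buffers the request line, it creates no socket), so it runs offline and reports whether the interpreter it runs under already rejects a method containing CR/LF. The unvalidated request-line builder is a reconstruction of the vulnerable behaviour for illustration, and the guard is a drop-in check for code that has to run on an interpreter that still lacks the fix.

```python
import http.client
import re

# Mirror of the upstream fix for CVE-2020-26116: an HTTP method may not contain
# C0 control characters (CR and LF included), because http.client writes the
# method verbatim into the request line.
_DISALLOWED_METHOD_CHARS = re.compile(r"[\x00-\x1f]")


def method_is_safe(method):
    """True if the method contains no control characters."""
    return _DISALLOWED_METHOD_CHARS.search(method) is None


def unpatched_request_line(method, path, version="HTTP/1.1"):
    """The request line as an unvalidating http.client builds it (no network).

    Reconstruction of the vulnerable behaviour, for illustration only: a CR/LF
    inside `method` terminates the request line early.
    """
    return "%s %s %s\r\n" % (method, path, version)


def smuggled_lines(method, path):
    """Header lines that a CR/LF-bearing method smuggles into the request."""
    lines = unpatched_request_line(method, path).split("\r\n")
    return [line for line in lines[1:] if line]


def installed_http_client_is_patched():
    """Probe the running interpreter's http.client.

    putrequest() only buffers the request line and headers; it opens no socket,
    so this runs offline. A patched interpreter raises ValueError for a method
    containing control characters; an unpatched one accepts it silently.
    """
    conn = http.client.HTTPConnection("example.invalid")  # never connected
    try:
        conn.putrequest("GET\r\nX-Injected: 1", "/")
    except ValueError:
        return True
    finally:
        conn.close()
    return False


def safe_putrequest(conn, method, url, **kwargs):
    """Guard for interpreters that still lack the fix: validate, then delegate."""
    if not method_is_safe(method):
        raise ValueError("HTTP method contains control characters: %r" % method)
    return conn.putrequest(method, url, **kwargs)


def guard_rejects(method):
    """True if safe_putrequest() refuses `method` (independent of patch state)."""
    conn = http.client.HTTPConnection("example.invalid")  # never connected
    try:
        safe_putrequest(conn, method, "/")
    except ValueError:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    attack = "GET\r\nX-Injected: 1"  # constructed attacker-controlled method
    print("smuggled header lines:", smuggled_lines(attack, "/"))
    print("installed http.client patched:", installed_http_client_is_patched())
    print("guard rejects attack:", guard_rejects(attack))
```

On a UCS 4.4 system still running python3.5 3.5.3-1+deb9u2, the probe returns False; after this erratum it returns True. The guard is only a stop-gap for code that cannot wait for the package update, since it protects one call site rather than the library.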
--- mirror/ftp/4.4/unmaintained/4.4-6/source/python3.5_3.5.3-1+deb9u2.dsc +++ apt/ucs_4.4-0-errata4.4-6/source/python3.5_3.5.3-1+deb9u3.dsc @@ -1,3 +1,17 @@ +3.5.3-1+deb9u3 [Wed, 18 Nov 2020 16:09:16 -0500] Roberto C. Sánchez <roberto@debian.org>: + + * Non-maintainer upload by the LTS Team. + + [ Thorsten Alteholz ] + * CVE-2019-20907: In Lib/tarfile.py, an attacker is able to craft a TAR + archive leading to an infinite loop when opened by tarfile.open, because + _proc_pax lacks header validation + * CVE-2020-26116: http.client allows CRLF injection if the attacker controls + the HTTP request method + + [ Roberto C. Sánchez ] + * Update expired SSL certificates in unit test suite. + 3.5.3-1+deb9u2 [Thu, 09 Jul 2020 15:00:10 +0200] Sylvain Beucler <beuc@debian.org>: * Non-maintainer upload by the LTS Security Team. <http://10.200.17.11/4.4-6/#6646714487351793130>
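Review bot: the CVE-2020-26116 entry ("http.client allows CRLF injection if the attacker controls the HTTP request method") names the vulnerability but not the user-visible behaviour change, so a reader of this changelog cannot tell whether a method containing CR/LF is now rejected with an exception or silently sanitised; add one line stating what putrequest() does with such a method after the update, since that is what administrators will see in application logs. The CVE-2019-20907 entry has the same gap: it explains the cause ("_proc_pax lacks header validation") but not whether a crafted archive now fails with an error instead of hanging. The bullet "Update expired SSL certificates in unit test suite" should name which test certificates were replaced, otherwise it cannot be matched against the package diff.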
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-6] eaacfeea0b Bug #52415: python3.5 3.5.3-1+deb9u3
 doc/errata/staging/python3.5.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x818>